Threat behavior
Win32/Spybot is a network worm that targets certain versions of Microsoft Windows. The worm can spread through writeable network shares that have weak administrator passwords, or through peer-to-peer file-sharing programs. It can also spread by exploiting various Windows vulnerabilities. Win32/Spybot also has a backdoor component that allows attackers to control an infected computer.
Installation
When Worm:Win32/Spybot is run, it copies itself to the %windir% or <system folder> as an executable. After copying itself to either folder, the worm modifies the registry to execute the worm copy at each Windows start.
Spreads via…
Random IP addresses having writeable network shares
The worm targets host computers by attempting to connect with randomly generated IP addresses and then attempting to copy itself to writeable shares on the target host. If successful, the worm creates a task on the remote computer to run itself there.
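A defender-side check for the scanning pattern described above, added here as an example and not part of the original write-up: it reads constructed firewall-style connection records and flags any host that reaches many distinct addresses on the SMB ports within a short window, which is what a worm probing random IP addresses for writeable shares looks like from the network. The log format, field order, port set and threshold are assumptions.

```python
# Added example, not from the Spybot write-up. Log format and threshold are assumed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style connection log: "timestamp src dst dport action"
SAMPLE_LOG = """\
2004-05-01T10:00:00 10.0.0.5 10.0.0.1 445 allow
2004-05-01T10:00:01 10.0.0.5 172.16.4.9 445 deny
2004-05-01T10:00:01 10.0.0.5 192.168.77.3 445 deny
2004-05-01T10:00:02 10.0.0.5 8.8.4.4 445 deny
2004-05-01T10:00:02 10.0.0.5 203.0.113.7 445 deny
2004-05-01T10:00:03 10.0.0.5 198.51.100.12 445 deny
2004-05-01T10:00:03 10.0.0.5 10.9.9.9 445 deny
2004-05-01T10:00:04 10.0.0.5 10.0.0.2 445 allow
2004-05-01T10:00:05 10.0.0.7 10.0.0.1 445 allow
2004-05-01T10:00:06 10.0.0.7 10.0.0.1 80 allow
2004-05-01T10:05:00 10.0.0.5 10.0.0.3 445 allow
"""

SMB_PORTS = {139, 445}  # NetBIOS session and direct-hosted SMB


def parse_log(text):
    """Yield (timestamp, src, dst, dport) for connections to an SMB port."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _action = line.split()
        dport = int(dport)
        if dport in SMB_PORTS:
            yield datetime.fromisoformat(ts), src, dst, dport


def find_share_scanners(text, window=timedelta(seconds=60), threshold=5):
    """Return {src: distinct_dst_count} for each source that contacted at least
    `threshold` distinct SMB destinations inside some window of length `window`."""
    events = defaultdict(list)
    for ts, src, dst, _ in parse_log(text):
        events[src].append((ts, dst))
    flagged = {}
    for src, ev in events.items():
        ev.sort()
        for i, (start, _) in enumerate(ev):
            # Distinct destinations reached in the window opening at this event
            dsts = {d for t, d in ev[i:] if t - start <= window}
            if len(dsts) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(dsts))
    return flagged
```

A single host legitimately reaching one or two file servers (10.0.0.7 above) stays below the threshold; the host fanning out to many addresses, most of them denied, is the one worth isolating.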
Peer-to-peer file sharing
The worm may copy itself to the share folder of a file-sharing application such as KaZaa. The worm uses social engineering (such as an enticing file name) that might invite a user on another computer to download and run the worm.
Computers connected to a local area network (LAN/WAN)
The worm could exploit one or more of eight Windows vulnerabilities that allow it to copy and run itself on a remote computer. For example, the worm can exploit the Windows vulnerability that allows an attacker to create a shell on the remote computer.
Payload
Allows backdoor access and control
The worm connects to a predefined internet relay chat (IRC) server and channel to allow remote unauthorized access to the infected computer. The backdoor allows an attacker to perform operations such as the following:
- Retrieve system information such as CPU speed, memory usage, Windows operating system, connection type, IP address, and Windows logon information.
- Send e-mail to other attackers.
- Start denial of service (DoS) attacks.
- Download and run files.
- Delete network shares.
- Redirect connections.
- Enable DCOM protocol.
- Scan for computers with weak administrator passwords.
- Scan ports.
- Set up a TFTP server or an HTTPD server.
- Log keystrokes.
- Gather CD keys of various games.
- List or terminate certain processes and services.
- Remove or uninstall the worm from the infected computer.
Analysis by Lena Lin
Prevention